[ https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart closed WW-4815.
-----------------------------

> Migrating Struts 2.3.16.3 to 2.3.32
> -----------------------------------
>
>                 Key: WW-4815
>                 URL: https://issues.apache.org/jira/browse/WW-4815
>             Project: Struts 2
>          Issue Type: Task
>          Components: Core
>    Affects Versions: 2.3.16.3
>            Reporter: Deborah White
>             Fix For: 2.3.32
>
>
> I need some assistance and am hoping you can provide some insight. I know
> this is probably not the place to do this, but I'm not finding answers
> elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the vulnerability.
> The problem is that the excluded classes in the struts-default.xml are being
> used by my application and I certainly do not have time to do a rewrite.
>
> This is the Warning I get and then my application does not run as it should
> because it seems it is not forwarding the roles:
>
> WARN [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] are excluded!
>
> I need to know how I can safely modify the struts-default.xml and still have
> the fix for the vulnerability. Also, if there is something I can instead
> include in my struts.xml file that would override, that would be better.
> Thank you.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)